BUSINESS ASSOCIATE AGREEMENT
This BUSINESS ASSOCIATE AGREEMENT (“BAA”) is entered into as of December____2022, by and between Total Travel System, LLC (“TTS”) and [name of vendor] (“Contractor”).

RECITALS

A. TTS intends to disclose to Contractor, and to have Contractor receive or access, certain Protected Health Information (“PHI”), as defined in Article 1 of this BAA, in order for Contractor to provide certain services to TTS (the “Services”) in accordance with one or more current and future agreements between the parties (the “Agreements”). The parties anticipate that Contractor will be required to access, create, receive, maintain, or transmit such PHI in order to provide the Services to TTS in accordance with the Agreements. In the event of a conflict between the Agreements and this BAA, the provisions of this BAA shall prevail.

B. Contractor will qualify as a “Business Associate” under the HIPAA Rules when acting in its capacity as a service provider under the Agreements. The HIPAA Rules include the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule,” at 45 CFR Part 160 and Part 164, Subparts A and E), the Standards for Security of Electronic Protected Health Information (the “Security Rule,” at 45 CFR Part 160 and Part 164, Subparts A and C), the Breach Notification for Unsecured Protected Health Information (the “Breach Notification Rule,” at 45 CFR Part 160 and Part 164, Subpart D), and the Enforcement Rule at 45 CFR Part 160, Subparts C through E, as each of the foregoing may be amended or supplemented. To the extent Contractor acts in its capacity as a Business Associate to TTS, Contractor shall adhere to the applicable requirements for Business Associates established in the HIPAA Rules.

C. The purpose of this BAA is for Contractor to provide the satisfactory assurances required by HIPAA and the HIPAA Rules that Contractor will appropriately safeguard PHI it receives or accesses in the course of providing the Services, and to further define the parties’ rights and responsibilities for the exchange of PHI.

NOW, THEREFORE, the parties, in consideration of the mutual agreements herein contained and for other good and valuable consideration, the receipt and adequacy of which are hereby acknowledged, do hereby agree as follows:

ARTICLE 1: DEFINITIONS

1.1 Definitions. For the purposes of this BAA, the following terms shall have the meaning as defined in the HIPAA Rules: Administrative Safeguards, Breach, Business Associate, Covered Entity, Data Aggregation, Designated Record Set, Disclosure, Health Care Operations, Individual, Minimum Necessary, Notice of Privacy Practices, Physical Safeguards, Protected Health Information, Required By Law, Secretary, Security Incident, Subcontractor, Technical Safeguards, Unsecured Protected Health Information, and Use. The following terms shall have the meanings set forth below.

a. “Electronic Media” shall mean the mode by which any electronic transfers of information are made. It includes the Internet, an intranet, an extranet, leased lines, dial-up lines, private networks, and those transfers that are physically moved from one location to another using any data storage device, cloud storage, or other media.

b. “Electronic Protected Health Information” or “Electronic PHI” shall mean PHI that is received or transmitted by, or maintained in, any Electronic Media.

ARTICLE 2: DUTIES OF CONTRACTOR REGARDING USE AND DISCLOSURE OF PHI

2.1 Receipt and Use of PHI. Satisfactory performance of its obligations under the Agreements by Contractor will require Contractor to access, receive or use PHI obtained from TTS and/or other sources.
Contractor shall not use PHI except as permitted or required by this BAA or as permitted or required by law. Contractor shall use PHI consistent with the HIPAA Rules, including using PHI (i) to perform or improve its Services as specified under the Agreements, provided that such use does not violate HIPAA, (ii) for Contractor’s proper internal management and administration, and (iii) to carry out the legal responsibilities of Contractor. In all instances, Contractor’s use of PHI shall be consistent with the minimum necessary requirements in the HIPAA Rules. Contractor shall require all of its employees to whom Contractor furnishes any PHI to agree to be bound by, and to abide in all respects by, all of the obligations of Contractor under the HIPAA Rules, the Agreements and this BAA to protect PHI, including, but not limited to, the use of reasonable and appropriate safeguards to protect PHI.

2.2 Disclosure of PHI. Contractor shall not disclose PHI except as permitted or required by this BAA or the Agreements, or as permitted or required by law. Contractor shall make permissible disclosures of PHI consistent with the HIPAA Rules. Specifically, unless otherwise permitted by the Agreements or this BAA, Contractor may disclose PHI only (i) for Contractor’s proper internal management and administration, or (ii) to carry out the legal responsibilities of Contractor. In either such case, Contractor shall make no such disclosure unless: (a) the disclosure is permitted or required by law; or (b) Contractor obtains reasonable assurances from the person to whom Contractor discloses the PHI that the PHI will be held confidentially, that the information will be used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the person receiving such disclosure covenants that it shall notify Contractor, as required by law, of any instance of which it is or becomes aware in which the confidentiality of the PHI has been Breached.
In all instances, Contractor’s disclosure of PHI shall be consistent with the minimum necessary requirements in the HIPAA Rules.

2.3 Safeguarding PHI. Contractor shall use appropriate Administrative Safeguards, Physical Safeguards and Technical Safeguards to prevent the use or disclosure of PHI other than as permitted by this BAA or the Agreements. Contractor shall maintain an appropriate level of security with regard to all personnel, systems, and administrative processes used by Contractor to transmit, store, process, or otherwise handle PHI. Contractor shall not transmit PHI over any open network unless the transmission is encrypted or otherwise secured according to the appropriate standard of care. Without limiting the foregoing, Contractor agrees to (i) implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic PHI that it creates, receives, maintains, or transmits on behalf of TTS, as required by Section 164.314(a) of the Security Rule; and (ii) require that any agent or Subcontractor to whom Contractor delegates any function or activity agrees to implement reasonable and appropriate safeguards to protect Electronic PHI received from Contractor. Further, to the extent that Contractor conducts any Transaction (as defined in 45 CFR 160.103) electronically on behalf of TTS, it will comply with the applicable requirements in the Standards for Electronic Transactions under 45 CFR Parts 160 and 162.

2.4 Third Party Agreements. Under certain circumstances, Contractor may need to enter into agreements with third parties, including Subcontractors, in order to satisfy its obligations under the Agreements. Contractor shall enter into business associate agreements with all Subcontractors as required by the HIPAA Rules.
Contractor shall require all of its agents and Subcontractors to whom it delegates any Services to be performed for TTS under the Agreements, including the creation, receipt, maintenance or transmission of PHI, and to whom Contractor furnishes any PHI, to agree in writing to be bound by, and to abide in all respects by, all of the obligations of Contractor under the HIPAA Rules, the Agreements and this BAA to protect PHI, including, but not limited to, the obligation to implement reasonable and appropriate safeguards to protect PHI.

2.5 Reporting of Unauthorized Uses and Disclosures.

(a) Contractor shall promptly notify TTS in writing upon becoming aware of any use or disclosure of PHI by Contractor, its employees, agents or Subcontractors that is not provided for in this BAA, and of any Security Incident involving PHI obtained from TTS. In addition, in accordance with the requirements of the HIPAA Rules, Contractor must notify TTS in writing of all Breaches of Unsecured PHI as soon as feasible after becoming aware of the Breach. Within ten (10) business days after becoming aware of a Breach of Unsecured PHI, Contractor shall provide to TTS in writing the identification of each Individual whose Unsecured PHI has been, or is reasonably believed by Contractor to have been, accessed, acquired, or disclosed during such Breach. Such identification shall include a description of the Unsecured PHI involved in the Breach and all demographic information in Contractor’s possession necessary to notify the affected Individuals of the Breach.

(b) Contractor shall reimburse TTS for TTS’s reasonable expenses incurred in complying with all applicable federal, state and local notification laws, rules and regulations arising out of or relating to any unauthorized use or disclosure of PHI by Contractor, its agents, Subcontractors or employees.
(c) In consultation with TTS, Contractor shall promptly seek to cure or mitigate, to the extent practicable, any harmful effects of an unauthorized use or disclosure of Unsecured PHI that are either known to Contractor or may reasonably be anticipated. If Contractor is unable or unwilling to promptly cure or mitigate the effects of such unauthorized use or disclosure, such inability or unwillingness shall constitute a material breach of Contractor’s obligations under this BAA, notwithstanding any other provision in the Agreements or this BAA, and TTS shall have the right, in its sole and absolute discretion, to terminate for cause one or more of the Agreements to which this BAA relates.

(d) Notwithstanding anything to the contrary contained in this BAA, the Agreements to which it relates, and any agreement regarding confidential information, TTS shall report Breaches of Unsecured PHI to the Secretary.

2.6 Access to Information. Within ten (10) business days of TTS’s written request, Contractor shall provide TTS with access to PHI in Contractor’s possession, if such PHI is contained in a Designated Record Set, in accordance with the requirements of 45 CFR 164.524.

2.7 Availability of PHI for Amendment by Patient. The parties acknowledge that the Privacy Rule permits an Individual who is the subject of PHI to request certain amendments of his or her records. Within ten (10) business days of a written request by TTS for the amendment of PHI contained in a record regarding an Individual maintained by Contractor in a Designated Record Set, Contractor shall provide such information to TTS for amendment, and Contractor shall incorporate any such amendments in the PHI as required by 45 CFR 164.526.
In the event Contractor receives a request for amendment directly from an Individual or the Individual’s designee, Contractor shall inform TTS of such request within ten (10) business days and shall respond to the Individual and incorporate the amendment, if it is acceptable, within thirty (30) days of receiving the request. Contractor shall concurrently send a copy of the response to TTS.

2.8 Accounting of Disclosures. Upon TTS’s written request, Contractor shall make available to TTS information concerning Contractor’s disclosure of PHI that is required for TTS to provide an Individual with an accounting of disclosures as required by the Privacy Rule, in accordance with 45 CFR 164.528. For this purpose, Contractor shall retain a record of disclosures of PHI for at least six (6) years from the date of disclosure. For purposes of this provision, disclosure shall include any access to the PHI by Contractor, its employees, agents and Subcontractors. In the event Contractor receives a request for an accounting of disclosures directly from an Individual or the Individual’s designee, Contractor shall inform TTS of such request within ten (10) business days and shall respond to the Individual and provide the accounting of disclosures in accordance with the applicable HIPAA Rules. Contractor shall concurrently send a copy of the response to TTS.

2.9 Availability of Books and Records. Contractor shall make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.

2.10 Return of PHI at Termination. Upon termination of the Agreements or completion of the Services, Contractor shall, where feasible, destroy or return to TTS all PHI received from TTS, or created, maintained, or received by Contractor on behalf of TTS, that Contractor maintains in any form. Where return or destruction is not feasible, the duties of Contractor under this BAA shall be extended to protect the PHI retained by Contractor.
Contractor agrees not to further use or disclose information for which the return or destruction is infeasible. Contractor shall certify in writing to the destruction of the PHI and to the continued protection of any PHI that is not feasible to destroy. The obligations of Contractor under this Section 2.10 shall survive the termination of this BAA.

ARTICLE 3: REPRESENTATIONS OF TTS

3.1 Obtaining Patient Permission. TTS represents and warrants that, where applicable, it has obtained the patient and individual permissions, consents, or authorizations required under federal and state law that are necessary for Contractor to receive, use, and disclose PHI as contemplated under this BAA and the Agreements.

3.2 Furnishing Appropriate Patient Notice. TTS represents and warrants that it has undertaken the steps necessary to adequately inform its patients, as required by state and federal law, about the disclosure of PHI to Contractor and Contractor’s use and disclosure of such information. Such notification shall include, but is not limited to, distribution of a Notice of Privacy Practices.

ARTICLE 4: TERM AND TERMINATION

4.1 Basic Term. This BAA shall be effective, and the parties’ performance of their respective obligations under this BAA shall commence, as of the date it is executed by the parties, and shall continue in effect until the later of (i) completion of the Services by Contractor, (ii) the date on which Contractor has returned or destroyed all PHI and certified thereto to TTS as provided under Section 2.10, above, or (iii) termination by the parties upon mutual written agreement.

4.2 Termination for Material Breach. A material breach of this BAA which is not cured within thirty (30) days of written notice to the breaching party is grounds for termination for cause under the provisions of the Agreements.
The dispute resolution provisions of each respective Agreement shall apply to any disagreement between the parties as to whether Contractor has materially breached this BAA or failed to cure such breach.

ARTICLE 5: MISCELLANEOUS

5.1 Change in Laws. The parties agree to negotiate in good faith if, in either party’s business judgment, modification of this BAA becomes necessary due to legislative, regulatory, or judicial developments regarding HIPAA, the HIPAA Rules, or other privacy laws, rules or regulations.

5.2 Incorporation by Reference. The terms and provisions of HIPAA and the HIPAA Rules are incorporated herein by reference as if set forth herein at length. To the extent any provision thereof is not specifically set forth herein, such provision shall be deemed a part of this BAA, and to the extent there shall be any inconsistency between the terms and provisions hereof and those set forth in HIPAA or the HIPAA Rules, the provisions of HIPAA and/or the HIPAA Rules shall prevail.

5.3 Interpretation, Integration, Amendment. Paragraph titles are for convenience only and shall not be used in interpreting this BAA. This BAA contains the entire agreement of the parties and replaces all prior BAAs between the parties, as well as any prior conversations, notes or writings previously made with respect to the subject matter hereof, and shall not be modified or amended except in a writing signed by the parties hereto.

5.4 Notices. All notices affecting this BAA must be in writing and sent to the individual(s) designated below for each party. The notices must be delivered in person or sent by nationally recognized overnight courier. Notice is effective on the date of receipt if delivered in person and on the date of first attempted delivery if delivered by nationally recognized overnight courier. A party may provide notice of a change to the contact information for the individual(s) to be notified under this provision by like notice.
Notices shall be delivered or sent to the following addresses:

To TTS:
Total Travel System, LLC
2554 Needmore Road
Dayton, Ohio 45414

5.5 Counterparts. This BAA may be executed in counterparts that, together, shall constitute one and the same BAA. Under the federal Electronic Signatures in Global and National Commerce Act, “digital contracts” that individuals agree to online have the same legal status as pen-and-paper contracts. The Act defines an electronic signature as an electronic “sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”